[strongSwan] VPN works with only 1 remote client. second client logs in and disconnects the first.

Lawrence Chiu Lawrence_Chiu_TX3 at yahoo.com
Tue Nov 5 19:21:38 CET 2013


Hi Noel,

I have two users set up in ipsec.secrets.  iPad uses "user1", the 
Android phone uses "user2".  But the same problem still persists. 
Everything is fine with just iPad.  Connect with the Android phone and 
iPad gets kicked off.  As I am using only the sample files from the 
Wiki, I am surprised no one else has experienced this issue?  Thank you 
for your suggestion.

=== [ /etc/ipsec.secrets ] ===
: RSA vpnKey.pem
user1 : XAUTH "somepass1"
user2 : XAUTH "somepass2"
=== [ EOF ] ===

=== [ /var/log/auth.log ] === (This log starts from the moment the Android 
phone begins connecting.)
Nov  5 12:16:18 vmware-u003 pluto[27166]: packet from 166.147.65.85:28107: received Vendor ID payload [RFC 3947]
Nov  5 12:16:18 vmware-u003 pluto[27166]: packet from 166.147.65.85:28107: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Nov  5 12:16:18 vmware-u003 pluto[27166]: packet from 166.147.65.85:28107: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Nov  5 12:16:18 vmware-u003 pluto[27166]: packet from 166.147.65.85:28107: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov  5 12:16:18 vmware-u003 pluto[27166]: packet from 166.147.65.85:28107: received Vendor ID payload [XAUTH]
Nov  5 12:16:18 vmware-u003 pluto[27166]: packet from 166.147.65.85:28107: ignoring Vendor ID payload [Cisco-Unity]
Nov  5 12:16:18 vmware-u003 pluto[27166]: packet from 166.147.65.85:28107: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Nov  5 12:16:18 vmware-u003 pluto[27166]: packet from 166.147.65.85:28107: received Vendor ID payload [Dead Peer Detection]
Nov  5 12:16:18 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107 #3: responding to Main Mode from unknown peer 166.147.65.85:28107
Nov  5 12:16:18 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107 #3: NAT-Traversal: Result using RFC 3947: both are NATed
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107 #3: Peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=win7.mycompany.local'
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107 #3: crl not found
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107 #3: certificate status unknown
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:28107 #3: deleting connection "ios" instance with peer 166.147.65.85 {isakmp=#0/ipsec=#0}
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:28107 #3: we have a cert and are sending it upon request
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:28107 #3: deleting connection "ios" instance with peer 70.139.113.210 {isakmp=#1/ipsec=#2}
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios" #2: deleting state (STATE_QUICK_R2)
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios" #1: deleting state (STATE_MODE_CFG_R1)
Nov  5 12:16:19 vmware-u003 pluto[27166]: lease 10.0.0.1 by 'vmware1' went offline
Nov  5 12:16:19 vmware-u003 pluto[27166]: | NAT-T: new mapping 166.147.65.85:28107/7005)
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005 #3: sent MR3, ISAKMP SA established
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005 #3: sending XAUTH request
Nov  5 12:16:19 vmware-u003 pluto[27166]: packet from 166.147.65.85:7005: Informational Exchange is for an unknown (expired?) SA
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005 #3: parsing XAUTH reply
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005 #3: extended authentication was successful
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005 #3: sending XAUTH status
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005 #3: parsing XAUTH ack
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005 #3: received XAUTH ack, established
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005 #3: parsing ModeCfg request
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005 #3: peer requested virtual IP %any
Nov  5 12:16:19 vmware-u003 pluto[27166]: assigning new lease to 'vmware2'
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005 #3: assigning virtual IP 10.0.0.2 to peer
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005 #3: sending ModeCfg reply
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:7005 #3: sent ModeCfg reply, established
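As an added illustration that is not part of this thread, the following Python check scans pluto log lines of the kind shown above and flags two things a defender would want to see at a glance: an established instance of a connection being torn down for a different peer while a new peer is still negotiating (the "deleting connection ... instance with peer 70.139.113.210 {isakmp=#1/ipsec=#2}" line), and the same IKE peer identity being seen from more than one peer address. The sample lines are constructed from the log above; the first line, showing the earlier client's own Peer ID, is an assumption, since the log here starts after that client was already connected.

```python
import re
from collections import defaultdict

# pluto per-state line: ... pluto[pid]: "conn"[inst] peer[:port] #sa: message
STATE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'(?P<peer>\d+\.\d+\.\d+\.\d+)(?::\d+)? #(?P<sa>\d+): (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"Peer ID is \S+: '(?P<id>[^']+)'")
DELETE_RE = re.compile(
    r'deleting connection "[^"]+" instance with peer (?P<victim>\d+\.\d+\.\d+\.\d+) '
    r'\{isakmp=#(?P<isakmp>\d+)/ipsec=#(?P<ipsec>\d+)\}')

def find_evictions(lines):
    """Report (a) an established instance (isakmp != #0) deleted for a peer
    other than the one currently negotiating, and (b) one IKE peer identity
    seen from more than one address (clients sharing the same credential)."""
    ids_by_peer = {}
    findings = []
    for line in lines:
        m = STATE_RE.search(line)
        if not m:
            continue  # lines without a state prefix carry nothing we track
        peer, msg = m.group('peer'), m.group('msg')
        pid = PEER_ID_RE.search(msg)
        if pid:
            ids_by_peer[peer] = pid.group('id')
        d = DELETE_RE.search(msg)
        if d and d.group('victim') != peer and d.group('isakmp') != '0':
            findings.append({'kind': 'eviction', 'conn': m.group('conn'),
                             'new_peer': peer, 'evicted_peer': d.group('victim'),
                             'isakmp': int(d.group('isakmp'))})
    by_id = defaultdict(set)
    for peer, ident in ids_by_peer.items():
        by_id[ident].add(peer)
    for ident, peers in sorted(by_id.items()):
        if len(peers) > 1:
            findings.append({'kind': 'shared_identity', 'id': ident,
                             'peers': sorted(peers)})
    return findings

# Constructed sample modelled on the auth.log above; the first line (the earlier
# client's own Peer ID from its login) is assumed, the rest follow the log.
SAMPLE_LOG = """\
Nov  5 12:10:02 vmware-u003 pluto[27166]: "ios"[1] 70.139.113.210:500 #1: Peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=win7.mycompany.local'
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107 #3: Peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=win7.mycompany.local'
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:28107 #3: deleting connection "ios" instance with peer 166.147.65.85 {isakmp=#0/ipsec=#0}
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:28107 #3: deleting connection "ios" instance with peer 70.139.113.210 {isakmp=#1/ipsec=#2}
Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios" #1: deleting state (STATE_MODE_CFG_R1)
""".splitlines()
```

Running `find_evictions(SAMPLE_LOG)` yields one eviction finding (new peer 166.147.65.85 evicting 70.139.113.210, isakmp SA #1) and one shared-identity finding listing both addresses under the win7 DN.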



On 11/5/2013 9:35 AM, Noel Kuntze wrote:
> Hello Lawrence,
>
> I think to make this work, you have to specify two different pairs of XAUTH credentials in ipsec.secrets.
> One for your iPad and one for your Android phone.
>
> Regards
> Noel Kuntze
>
> On 05.11.2013 14:35, Lawrence Chiu wrote:
>> I originally sent this email on 10/4/2013 but I got no replies, and after a month, I still have this problem.  Can anyone help?
>>
>> I followed the configuration shown in the wiki for Apple IOS clients.
>> http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple) <http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29>
>>
>> It works on one remote client (iPad).  When I connect a second remote client (Android phone) to the VPN, the iPad is disconnected immediately.  The ipsec.conf, ipsec.secrets, and strongswan.conf files are the same as the wiki example with two changes to support multiple clients (changed rightsourceip and removed rightcert).
>>
>> $ diff ipsec.conf ipsec.conf.template
>> <         rightsourceip=10.0.0.0/24
>> ---
>>>          rightsourceip=10.0.0.2
>>>          rightcert=clientCert.pem
>> The /var/log/auth.log is attached starting from when USER #2 connects to the VPN (at this time USER #1 is already connected and everything is working).  Thank you.
>>
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:500: received Vendor ID payload [RFC 3947]
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:500: received Vendor ID payload [XAUTH]
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:500: ignoring Vendor ID payload [Cisco-Unity]
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:500: received Vendor ID payload [Dead Peer Detection]
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[5] 192.168.0.3 #4: responding to Main Mode from unknown peer 192.168.0.3
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[5] 192.168.0.3 #4: NAT-Traversal: Result using RFC 3947: both are NATed
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[5] 192.168.0.3 #4: Peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=win7.mycompany.local'
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[5] 192.168.0.3 #4: crl not found
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[5] 192.168.0.3 #4: certificate status unknown
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3 #4: deleting connection "ios" instance with peer 192.168.0.3 {isakmp=#0/ipsec=#0}
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3 #4: we have a cert and are sending it upon request
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3 #4: deleting connection "ios" instance with peer 70.139.113.210 {isakmp=#2/ipsec=#3}
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios" #3: deleting state (STATE_QUICK_R2)
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios" #2: deleting state (STATE_MODE_CFG_R1)
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: lease 10.10.4.1 by 'vmware' went offline
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: | NAT-T: new mapping 192.168.0.3:500/4500)
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4: sent MR3, ISAKMP SA established
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4: sending XAUTH request
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: packet from 192.168.0.3:4500: Informational Exchange is for an unknown (expired?) SA
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4: parsing XAUTH reply
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4: extended authentication was successful
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4: sending XAUTH status
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4: parsing XAUTH ack
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4: received XAUTH ack, established
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4: parsing ModeCfg request
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4: peer requested virtual IP %any
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: reassigning offline lease to 'vmware'
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4: assigning virtual IP 10.10.4.1 to peer
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4: sending ModeCfg reply
>> Oct  4 16:56:01 vmware-u003 pluto[5989]: "ios"[6] 192.168.0.3:4500 #4: sent ModeCfg reply, established
